01 December 2020

Pcap Header

Format pcap file 



Dalam Global Header, ada timzone info.

Dalam Packet Header ada timestamp.

Dalam Packet Data ada network traffic yg lalu (dihantar/diterima) NIC tersebut.


Packet vs Frame

Frame is refer to data link layer
Packet refer to network layer




Ref:

- https://www.elvidence.com.au/understanding-time-stamps-in-packet-capture-data-pcap-files/



30 November 2020

winlogbeat -> logstash -> elastic

 good tutorial here




Creating Template for elastic index

 Elastic will auto create index when it receive request from client.

If the index state by the client not exist, it will auto create it base on template.


List of available template:

    GET /_template


To put new template:

PUT /_template/supertimeline
{
    "index_patterns": "st-*",
    "settings": {
        "index" : {
        "refresh_interval": "10s" ,
        "number_of_shards" : 20,
        "number_of_replicas" : 1
        }
    }
}

Edit Pcap guna Scapy

 Scapy adalah library python yang boleh digunakan untuk edit packet dalam dalam fail pcap.


Cara nak tukar timestamp pada setiap packet


from scapy.all import *

pkts = rdpcap(infile)
for p in pkts:
    p.time = p.time + tukar
    pmod=p
    cooked.append(pmod)

wrpcap("out.pcap", cooked) 

 



Cara nak tukar mac address

mac_asal = a
mac_baru = b

if ARP in p:
    if p[ARP].hwsrc == mac_asal
           p[ARP].hwsrc = mac_baru



11 November 2020

Windows command Line

enable/disable firewall

netsh advfirewall set  currentprofile state off

netsh advfirewall set  allprofiles state off



enable file sharing:

netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes, and hit Enter.



create share folder:

net share Public=s:\Public /GRANT:Everyone,FULL
net share share_folder_name /delete


map share folder:
net use Z: \\computer_name\share_name /PERSISTENT:YES
net use  Z: /delete


Copy folder recursive:
Xcopy C:\test D:\test /E /H /C /I
  • /E – Copy subdirectories, including any empty ones.

  • /H - Copy files with hidden and system file attributes

  • /C - Continue copying even if an error occurs.

  • /I - If in doubt, always assume the destination is a folder. e.g. when the destination does not exist.




  • sd

























22 September 2020

ssh account for upload files only (SSH)

SFTP Setup:
/etc/ssh/sshd_config:

    Subsystem sftp internal-sftp
    Match Group sftpusers
    PasswordAuthentication yes
    ChrootDirectory /srv/sftponly
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp

Adding the sftp group:
    groupadd sftpusers

Creating the only account for SFTP Access
    useradd -d /srv/sftponly -g sftpusers -s /bin/false sftpuser
    passwd sftpuser

Restart openssh:
    /etc/init.d/ssh restart

Setting Permission for the directory
chown root:root /srv ; chown root:root /srv/sftponly ; chmod 755 /srv ; chmod 755 /srv/sftponly

Making a Public Directory:
mkdir /srv/sftponly/public
chown sftpuser:sftpusers /srv/sftponly/public/
chmod 333 /srv/sftponly/public/
ls -ltd
d-wx-wx-wx 2 sftpuser sftpusers 4096 Oct 15 14:51 /srv/sftponly/public/



 ref

https://www.unix.com/unix-for-advanced-and-expert-users/238265-sftp-resticting-only-uploading-file.html

21 September 2020

Install winlogbeat

# Test Winlogbeat Configuration
winlogbeat.exe test config -c winlogbeat.yml -e    





If you want to send to LOGSTASH instead directly to elastic:
...
...

#output.elasticsearch:
# Array of hosts to connect to.
# hosts: ["localhost:9200"]

...
...

output.logstash:
# The Logstash hosts
hosts: ["localhost:5044"]

...
...




Install/Uninstall Service:
# Install Service
.\install-service-winlogbeat.ps1

# Uninstall Service
.\uninstall-service-winlogbeat.ps1